On Mon, Nov 12, 2018 at 07:06:26PM +0300, Mika Westerberg wrote:
> From: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
>
> Intel VT-d spec added a new DMA_CTRL_PLATFORM_OPT_IN_FLAG flag
> in DMAR ACPI table for BIOS to report compliance about platform
> initiated DMA restricted to RMRR ranges when transferring control
> to the OS. The OS treats this as a hint that the IOMMU should be
> enabled to prevent DMA attacks from possible malicious devices.
>
> A use of this flag is Kernel DMA protection for Thunderbolt[1]
> which in practice means that IOMMU should be enabled for PCIe
> devices connected to the Thunderbolt ports. With IOMMU enabled
> for these devices, all DMA operations are limited in the range
> reserved for it, thus the DMA attacks are prevented. All these
> devices are enumerated in the PCI/PCIe module and marked with
> an is_external flag.
>
> This forces IOMMU to be enabled if DMA_CTRL_PLATFORM_OPT_IN_FLAG
> is set in DMAR ACPI table and there are PCIe devices marked as
> is_external in the system. This can be turned off by adding
> "intel_iommu=off" in the kernel command line, if any problems are
> found.
>
> [1] https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt
>
> Cc: Ashok Raj <ashok.raj@xxxxxxxxx>
> Cc: Jacob Pan <jacob.jun.pan@xxxxxxxxxxxxxxx>
> Cc: Sohil Mehta <sohil.mehta@xxxxxxxxx>
> Signed-off-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
> Signed-off-by: Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>

Looks good to me

Reviewed-by: Ashok Raj <ashok.raj@xxxxxxxxx>

> ---
> drivers/iommu/dmar.c | 25 +++++++++++++++++
> drivers/iommu/intel-iommu.c | 55 +++++++++++++++++++++++++++++++++++--
> include/linux/dmar.h | 8 ++++++
> 3 files changed, 86 insertions(+), 2 deletions(-)
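
The check the quoted commit message describes, as an added user-space example (not code from the patch or from anyone in this thread): it validates a raw DMAR table, reads the opt-in bit from the flags byte, and models the force-on decision. The names `dmar_opt_in`, `should_force_iommu` and `make_sample_dmar` are hypothetical, the sample table is constructed, and matching `intel_iommu=off` as a whole command-line token is a simplification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define DMAR_MIN_LEN 48         /* 36-byte ACPI header + width + flags + 10 reserved */
#define DMAR_FLAGS_OFFSET 37    /* flags byte follows the host address width byte */
#define PLATFORM_OPT_IN 0x04    /* DMA_CTRL_PLATFORM_OPT_IN_FLAG, bit 2 */

/* 1 = opt-in set, 0 = clear, -1 = malformed table (treat as no hint). */
int dmar_opt_in(const uint8_t *t, size_t n)
{
    uint8_t sum = 0;
    if (n < DMAR_MIN_LEN || memcmp(t, "DMAR", 4) != 0)
        return -1;
    uint32_t len = t[4] | t[5] << 8 | t[6] << 16 | (uint32_t)t[7] << 24;
    if (len < DMAR_MIN_LEN || len > n)
        return -1;
    for (uint32_t i = 0; i < len; i++)  /* ACPI checksum: sum is 0 mod 256 */
        sum += t[i];
    if (sum != 0)
        return -1;
    return (t[DMAR_FLAGS_OFFSET] & PLATFORM_OPT_IN) ? 1 : 0;
}

/* Policy from the commit message, modelled with hypothetical names. */
bool should_force_iommu(int opt_in, bool has_external, const char *cmdline)
{
    const char *off = "intel_iommu=off";
    if (opt_in != 1 || !has_external)
        return false;
    for (const char *s = cmdline; *s; s += strcspn(s, " ")) {
        s += strspn(s, " ");
        if (strcspn(s, " ") == strlen(off) && !strncmp(s, off, strlen(off)))
            return false;               /* admin override wins */
    }
    return true;
}

/* Constructed sample: minimal 48-byte DMAR table carrying `flags`. */
void make_sample_dmar(uint8_t *out, uint8_t flags)
{
    uint8_t sum = 0;
    memset(out, 0, DMAR_MIN_LEN);
    memcpy(out, "DMAR", 4);
    out[4] = DMAR_MIN_LEN;              /* little-endian length field */
    out[DMAR_FLAGS_OFFSET] = flags;
    for (size_t i = 0; i < DMAR_MIN_LEN; i++)
        sum += out[i];
    out[9] = (uint8_t)(0 - sum);        /* checksum byte at offset 9 */
}
```

On a Linux host the same bytes can be read, as root, from `/sys/firmware/acpi/tables/DMAR` and passed to `dmar_opt_in` to confirm whether the firmware advertises the hint.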